VeriSign Payment Services

Transcription

1 VeriSign Payment Services Fraud Protection Services Guide USER GUIDE Customer Support: VeriSign, Inc /Rev. 2

2 VeriSign Payment Services Fraud Protection Services Guide VeriSign Payment Services Fraud Protection Services Guide VeriSign, Inc /Rev. 2 Copyright 2003 VeriSign, Inc. All rights reserved. Printed in the United States of America. Publication date: April 2003 Trademark Notices VeriSign is a registered trademark of VeriSign, Inc. The VeriSign logo, VeriSign Trust Network, and Go Secure! are trademarks and service marks of VeriSign Inc. XMLPay and OnSite are registered trademarks of VeriSign, Inc. Other trademarks and service marks in this document are the property of their respective owners. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photographic, audio, or otherwise) without prior written permission of VeriSign, Inc. Notwithstanding the above, permission is granted to reproduce and distribute this document on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete form with attribution of the document to VeriSign, Inc Note This document may describe features and/or functionality that are not present in your software or your service agreement. Contact your account representative to learn more about what is available with this VeriSign product. ii VeriSign, Inc /Rev. 2

3 Contents Contents Chapter 1 Introduction Fraud Protection Services Enrolling About this Document Intended Audience Document Organization Chapter 2 How Fraud Protection Services Protect You The Threats Protection Against the Threats The Account and Transaction Security Tools Account Tools Protect Against Hacking Filters Protect Against Credit Card Fraud Buyer Authentication Service Processors that Support the Buyer Authentication Service Special Considerations Merchants with an Instant Fulfillment Business Model Merchants using the Recurring Billing Service Protection From System-wide Threats The Premium Services Account Monitoring Service Security Audit Chapter 3 Configuring the Fraud Protection Services Configuring Security Features: Part 1: Run the Account Wizard Changing Settings Transaction Settings Configuring Security Features: Part 2: Run the Transaction Wizard Chapter 4 Using the Transaction Security Filters in Your Everyday Business Activities Reviewing Possibly Fraudulent Transactions Acting on Transactions that Triggered Filters Rejecting Transactions Fine-tuning Filter Settings Using the Filter Scorecard Ensuring Meaningful Data on the Scorecard VeriSign, Inc /Rev. 2 iii

4 VeriSign Payment Services Fraud Protection Services Guide Re-running Transactions if the Transaction Security Service is Unavailable Chapter 5 Performing Buyer Authentication Transactions Using the Payflow Pro SDK Testing the Buyer Authentication Service Buyer Authentication Transaction Overview Buyer Authentication Terminology Buyer Authentication Server URLs Detailed Buyer Authentication Transaction Flow Example Buyer Authentication Transactions Example Verify Enrollment Transaction Example Validate Authentication Transaction Example Payflow Authorization or Sale Transaction Buyer Authentication Transaction Parameters and Return Values Transaction Parameters Verify Enrollment Transaction Name/Value Pairs Validate Authentication Transaction Name/Value Pairs Standard Payflow Sale or Authorization Transaction ECI Values Logging Transaction Information Audit Trail and Transaction Logging Chapter 6 Screening Transactions Using the Payflow Pro SDK Response Values Testing Filters Transaction Data Required by Filters Transaction Parameters Unique to the Filters Example Transactions Logging Transaction Information Chapter 7 Viewing Buyer Authentication Reports with VeriSign Manager Generating a Buyer Authentication Audit Report Example Buyer Authentication Audit Report Generating a Buyer Authentication Transaction Report iv VeriSign, Inc /Rev. 2

5 Contents Example Buyer Authentication Transaction Report Transaction Detail Page Chapter 8 Responses to Credit Card Transaction Requests Contents of a Response to a Credit Card Transaction Request PNREF Value RESULT and RESPMSG Values RESULT Values for Communications Errors RESULT Values for Transaction Declines or Errors Appendix A How Filters Work Appendix B Fraud Filter Reference Filters Included with the Fraud Protection Services Filters Included with the Basic Fraud Protection Services Option Filters Included with the Advanced Fraud Protection Services Option.. 80 Special Case: Buyer Authentication Failure Filter About VeriSign s Risk Lists VeriSign s Guidance on Interpreting FIlter Results Transaction Data Required by Filters Unusual Order Filters Total Purchase Price Ceiling Filter Total Item Ceiling Filter Shipping Billing Match Filter High-risk Payment Filters AVS Failure Filter CSC Failure Filter Buyer Authentication Failure Filter BIN Risk List Match Filter High-risk Address Filters ZIP Risk List Match Filter Freight Forwarder Risk List Match Filter USPS Address Validation Failure Filter IP Address Risk List Match Filter Service Provider Risk List Match Filter Geo-location Failure Filter High-risk Customer Filters VeriSign, Inc /Rev. 2 v

6 VeriSign Payment Services Fraud Protection Services Guide Bad Lists International Order Filters Country Risk List Match Filter International Shipping/Billing Address Filter International IP Address Filter International AVS Filter Accept Filters Good Lists Total Purchase Price Floor Filter Appendix C Testing the Transaction Security Filters Price Ceiling and Floor Good and Bad Lists International AVS International IP Freight Forwarder Service Provider IP Risk List Country Risk List International Billing Address only Billing Shipping Mismatch High Order Number (passed in Line Item Detail) BIN Risk List Zip Risk List Appendix D Testing Buyer Authentication Transactions Using the Payflow Pro SDK Testing Buyer Authentication Transactions Buyer Authentication Test Server Payflow Pro Test Server Test Cases, Passwords, and Account Numbers Test Password Test Account Numbers Test Cases Expected Result Codes when Testing Buyer Authentication Buyer Authentication Testing Procedures Verify Enrollment Transaction Test Cases vi VeriSign, Inc /Rev. 2

7 Contents Example Return Values Validate Authentication Transaction Test Cases Procedure Example Return Values Appendix E Deactivating Fraud Protection Services VeriSign, Inc /Rev. 2 vii

8 VeriSign Payment Services Fraud Protection Services Guide viii VeriSign, Inc /Rev. 2

9 re t pahc CHAPTER 1 1Introduction Online fraud is a serious and growing problem, one that cost merchants an estimated $1 billion in While liability for fraudulent card-present or in-store transactions lies with the credit card issuer, liability for card-not-present transactions, including transactions conducted online, falls to the merchant. As you probably know, this means that a merchant that accepts a fraudulent online transaction (even if the transaction is approved by the issuer) does not receive payment for the transaction and additionally must often pay penalty fees and higher transaction rates. (One notable exception, buyer authentication, is described in this document.) VeriSign s Fraud Protection Services, in conjunction with your Payflow service s standard security tools, can help you to significantly reduce these costs and the resulting damage to your business. Important Enrollment Information: Merchants must meet the following eligibility requirements to enroll with and use the Fraud Protection Services products: 1 Merchant must have a current, paid-up VeriSign Payflow Pro SM or VeriSign Payflow Link SM gateway service account. 2 Merchant must be in Live mode (activated) with the gateway service. 3 Merchant must have its business operations physically based in the United States. 4 Merchant must use a terminal-based processor supported by the VeriSign Payflow SM gateway. VeriSign, Inc /Rev. 2 1

10 VeriSign Payment Services Fraud Protection Services Guide Fraud Protection Services Enrolling To enroll for Fraud Protection Services, click the banner on VeriSign Manager s Welcome page and follow the on-screen instructions. The following services make up the Fraud Protection Services suite. The online enrollment process describes enables you to enroll for each service. Fraud Protection Services Account Security Tools Transaction Security Tools Allowed IP Addresses Password Management Basic Fraud Filters Advanced Fraud Filters Transaction Review Transaction Review Transaction Settings Optional Account Monitoring Service Optional Buyer Authentication Service 2 VeriSign, Inc /Rev. 2

11 Chapter 1 Introduction About this Document Intended Audience This document is intended for Payflow Pro merchants who subscribe to any Fraud Protection Services options. Note In this document, we use the term fraudster to represent an entity (typically a person) attempting fraudulent activity. Document Organization Chapter 2, How Fraud Protection Services Protect You, describes the security tools that make up the Fraud Protection Services. Chapter 3, Configuring the Fraud Protection Services, describes the process of configuring all aspects of security management for your Payflow account. Chapter 4, Using the Transaction Security Filters in Your Everyday Business Activities, describes how to review transactions that triggered filters, and provides guidance on deciding on risk. Chapter 5, Performing Buyer Authentication Transactions Using the Payflow Pro SDK, describes the process of performing Buyer Authentication transactions using the Payflow Pro SDK. Chapter 7, Viewing Buyer Authentication Reports with VeriSign Manager, describes how to generate and interpret Buyer Authentication reports. Chapter 8, Responses to Credit Card Transaction Requests, describes the responses to a credit card transaction request. Appendix A, How Filters Work, describes the order in which the various types of filter are applied. Appendix B, Fraud Filter Reference, describes the Transaction filters that make up part of the VeriSign Fraud Protection Services. Appendix C, Testing the Transaction Security Filters, provides Payflow Pro transactions that you can use to test the filters. VeriSign, Inc /Rev. 2 3

12 VeriSign Payment Services Fraud Protection Services Guide Appendix D, Testing Buyer Authentication Transactions Using the Payflow Pro SDK, provides Payflow Pro transactions that you can use to test the Buyer Authentication Service. Appendix E, Deactivating Fraud Protection Services, describes the process of deactivating Fraud Protection Services. 4 VeriSign, Inc /Rev. 2

13 re t pahc CHAPTER 2 2How Fraud Protection Services Protect You This chapter describes the security tools that make up the Fraud Protection Services. In This Chapter The Threats on page 6 Protection Against the Threats The Account and Transaction Security Tools on page 6 Special Considerations on page 9 Buyer Authentication Service on page 8 Special Considerations on page 9 VeriSign, Inc /Rev. 2 5

14 VeriSign Payment Services Fraud Protection Services Guide The Threats There are two major types of fraud hacking and credit card fraud. Hacking Fraudsters hack when they illegally access your customer database to steal card information or to take over your gateway account to run unauthorized transactions (purchases and credits). The Account Wizard features minimize the risk of hacking by enabling you to place powerful constraints on access to and use of your VeriSign Manager and Payflow accounts. Credit Card Fraud Fraudsters can use stolen or false credit card information to perform purchases at your Web site, masking their identity to make recovery of your goods or services impossible. To protect you against credit card fraud, Fraud Protection Services uses software filters that identify potentially fraudulent activity and let you decide whether to accept or reject the suspicious transactions. Protection Against the Threats The Account and Transaction Security Tools Account Tools Protect Against Hacking The Account Wizard takes you through configuration of the tools that shut down hackers: On the Allowed IP Addresses page, you specify that all VeriSign Manager users must log in from computers that you identify by IP address. This security measure ensures that no one can log in from an unauthorized computer. In addition, Payflow Pro users can require that all transaction activity can originate only from authorized computers by specifying those IP Addresses. On the Transaction Settings page, you specify rules governing administratively performed transactions. For example, you can require that credits can be issued only for existing transactions or block the use of reference transactions. On the Password Management pages, you specify a password for access to VeriSign Manager and a separate password for Payflow Pro transactions. Use the password management pages to change the passwords frequently (VeriSign recommends once monthly). 6 VeriSign, Inc /Rev. 2

15 Chapter 2 How Fraud Protection Services Protect You Filters Protect Against Credit Card Fraud The configurable filters screen each transaction for evidence of potentially fraudulent activity. When a filter identifies a suspicious transaction, the transaction is marked for review. VeriSign Fraud Protection Services offers two levels of filters: Basic and Advanced. The filters are described in Appendix B, Fraud Filter Reference. For detailed descriptions of the filter levels, the order and logic of the screening process, and for specific variations from the simple flow described here, see Appendix A, How Filters Work. Example Filter The Total Purchase Price Ceiling filter compares the total amount of the transaction to a maximum purchase amount (the ceiling) that you specify. Any transaction amount that exceeds the specified ceiling triggers the filter. Configuring the Filters You configure each filter by specifying the action to take whenever the filter identifies a suspicious transaction (either set the transaction aside for review or reject it). Typically, you specify setting the transaction aside for review. For transactions that you deem extremely risky (for example, a known bad address), you might specify rejecting the transaction outright. You can turn off any filter so that it does not screen transactions. For some filters, you also set the value that triggers the filter for example the dollar amount of the ceiling price in the Total Purchase Price Ceiling filter. Some filters are designed to automatically accept transactions that meet specific criteria, like a known good customer s account number that you specify. The Transaction Wizard simplifies configuration by taking you through a step-by-step process. Chapter 3, Configuring the Fraud Protection Services, describes the process. Reviewing Possibly Fraudulent Transactions As part of the task of minimizing the risk of fraud, you review each transaction that triggered a filter to determine whether to accept or reject the transaction. Chapter 4, Using the Transaction Security Filters in Your Everyday Business Activities, describes the process. VeriSign, Inc /Rev. 2 7

16 VeriSign Payment Services Fraud Protection Services Guide Buyer Authentication Service VeriSign s Buyer Authentication Service integrates Visa s Verified by Visa and MasterCard s SecureCode into secure calls to the VeriSign-hosted Payflow service. These services prompt buyers to provide a password to their card issuer before being allowed to execute a credit card purchase. Buyer Authentication is the only screening tool that promises to shift fraud liability from the merchant. The Buyer Authentication password is the digital equivalent to a shopper s handwritten signature. The use of the password protects merchants from some chargebacks when a customer claims not to have authorized the purchase. The Buyer Authentication Service is a separately-purchased option and operates with the Buyer Authentication Failure filter. To enroll for the Buyer Authentication Service, click the Buyer Authentication banner on the VeriSign Manager Security welcome page. Follow the on-screen instructions. (In particular, both your processor and your acquiring bank must support buyer authentication. If they both support the service, then you can enroll for VeriSign s Buyer Authentication Service.) Processors that Support the Buyer Authentication Service The following processors support the Buyer Authentication Service: MasterCard Certified Processors FDMS Nashville Global Payments-East (NDCE) Global Payments-Central (MAPP) Paymentech Vital Visa Certified Processors FDC South FDMS Nashville Paymentech Vital 8 VeriSign, Inc /Rev. 2

17 Chapter 2 How Fraud Protection Services Protect You Special Considerations Merchants with an Instant Fulfillment Business Model For businesses with instant fulfillment business models (for example, software or digital goods businesses), the Review option does not apply to your business you do not have a period of delay to review transactions before fulfillment to customers. Only the Reject and Accept options are applicable to your business model. In the event of server outage, Fraud Protection Services is designed to queue transactions for online processing. This feature also complicates an instant fulfillment business model. Merchants using the Recurring Billing Service To avoid charging you to filter recurring transactions that you know are reliable, fraud filters do not screen recurring transactions. To screen a recurring billing profile, submit the transaction data using VeriSign Manager s Manual Transactions page. The filters screen the transaction in the normal manner. If the transaction triggers a filter, then you can follow the normal process to review the filter results. Protection From System-wide Threats The Premium Services Account Monitoring Service The Account Monitoring Service provides premium protection against unauthorized use of your Payflow account. VeriSign Account Monitoring Service includes: Transaction monitoring by trained VeriSign security professionals who identify fraudulent account activity prior to settlement. Proactive notification of suspicious account events Call-in number to security representatives to discuss suspicious account activity Complete investigation and research of suspicious account events. Includes: VeriSign, Inc /Rev. 2 9

18 VeriSign Payment Services Fraud Protection Services Guide Security Audit Investigation of VeriSign internet log files and all audit trails relevant to your account Packaging of all relevant data to be delivered to banks and law enforcement to assist in funds recovery and prosecution Determine whether your e-commerce site is secure from hackers with a free one-time online security scan from Qualys, a VeriSign partner. Qualys s web-based security auditing service determines whether your e-commerce site can withstand hacker attacks. The audit requires just minutes as it non-intrusively tests for thousands of known vulnerabilities. Scan results provide a complete view of your site s security in detailed browser-based reports that rank the severity of weak spots and link you to verified fixes. To request a free scan, see the Security section of VeriSign Manager. 10 VeriSign, Inc /Rev. 2

19 re t pahc CHAPTER 3 3Configuring the Fraud Protection Services This chapter describes the process of running the Account Wizard and the Transaction Wizard to configure all aspects of security management for your Payflow accounts. VeriSign, Inc /Rev. 2 11

20 VeriSign Payment Services Fraud Protection Services Guide Configuring Security Features: Part 1: Run the Account Wizard Step 1 Configuring Allowed IP Addresses for VeriSign Manager You can require that users access Payflow services only from computers that you have authorized access from any other computer is denied. You designate the computers by specifying their IP addresses on the Allowed IP Addresses page. 1 Click Security Account Setup Account Wizard. The Welcome page opens. Read the instructions and click Continue. The Allowed IP Addresses for VeriSign Manager page opens. 2 Read the instructions and enter the authorized IP addresses. Click the What Do I Do button for help in determining the appropriate IP addresses and in formatting the addresses properly. In particular, if you use a dial-up connection, then you might have a dynamic IP address. 3 Click Save and Continue. 12 VeriSign, Inc /Rev. 2

21 Chapter 3 Configuring the Fraud Protection Services Step 2 Managing your Passwords In the Old Password field, type your current password. In the New Password field, type the new password. In the Confirm Password field, retype the new password. Click Submit. VeriSign strongly recommends that you regularly change your passwords. Follow these guidelines when creating a password: The passwords should not follow a pattern. The password must be 6 to 32 characters long. The password is case-sensitive. The password cannot be the same as your Login name. The password must contain a mix of letters, numbers, and/or special characters. Passwords containing only letters or only numbers are not accepted. Single quotes, double quotes, ampersands ( " & ), and spaces are not allowed. VeriSign, Inc /Rev. 2 13

22 VeriSign Payment Services Fraud Protection Services Guide Do not send your password to others by Do not post or share your password The password should not contain any part of your company name or user name Changing Settings To change an IP address setting, click Security Account Setup Allowed IPs. To change a password, click Security Account Setup Password Management. Step 3 Configuring Transaction Settings Use the Transaction Settings page to specify restrictions on transactions from any VeriSign service: Payflow Link, Payflow Pro, and VeriSign Manager. These restrictions make hacking fraud extremely difficult. Note The Transaction Settings differ from the filters in that they restrict operations performed by administrative account users (VeriSign Manager users) whereas the filters restrict incoming customer transactions. (The Maximum Amount per Transaction setting is the only exception it places a limit on all transactions- both those initiated by a VeriSign Manager user and incoming customer transactions (either from Payflow Pro or from Payflow Link). To enhance security for your account by preventing unauthorized changes to the Transaction Settings page, the settings are handled in a special way: The Transaction Settings page is freely available for accounts in Test mode. Use the instructions in this section to determine your preferred transaction settings. When you move your account to Live mode, the transaction settings that you set in Test mode are applied to your account, and VeriSign removes the Transaction Settings page from the VeriSign Manager interface. To make changes to the settings, your authorized contact person must contact VeriSign Payment Services Customer Support at or vps-support@verisign.com. The Customer Support group then reactivates the 14 VeriSign, Inc /Rev. 2

23 Chapter 3 Configuring the Fraud Protection Services Transaction Settings page in VeriSign Manager so that you can alter the settings. Once you submit the settings, you will again no longer be able to view or edit them using VeriSign Manager. To alter the settings after you submit them, you must again contact Customer Support. Transaction Settings Maximum amount per transaction: Any Authorization, Sale, Credit, Delayed Capture, or Voice Authorization transaction greater than the amount that you specify is declined. Leave the field blank to allow any transaction amount up to the limit established by the processor or acquirer. IMPORTANT! This setting controls all transactions, even those that exceed the Total Purchase Price Ceiling filter (described on page 84). If the amount of a transaction is higher than the filter ceiling setting, but lower than the Maximum amount per transaction setting, then the transaction triggers the filter and is not affected by the Maximum amount setting. If the amount of a transaction is greater than the Maximum amount per transaction setting, then the transaction is automatically rejected, regardless of the filter settings. Maximum amount for credits: Any Credit transaction greater than the amount that you specify is declined. A setting of 0 (zero) disables credit transactions for this account. Allow non-referenced credits: Specify No to permit credits only against previous transactions. Specify Yes to allow any credit transaction to be processed. Note If you specify Yes for this option, then you cannot specify No for the Credits may exceed original transaction amount option. Credits may exceed original transaction amount: Specify No to require that the accumulated credit amount against this transaction may not exceed the original VeriSign, Inc /Rev. 2 15

24 VeriSign Payment Services Fraud Protection Services Guide transaction amount the credit can be for any amount up to the original transaction amount. Specify Yes to allow any credit amount up to the limit established by the processor or acquirer. Note If you specify No for this option, then you cannot specify Yes for the Allow Non-referenced Credits option. Allow Reference Transactions: Specify whether to allow the use of an existing transaction (the reference transaction) as a starting point from which to generate a new transaction. By default, reference transactions are not allowed. For example, if you select Yes, then VeriSign Manager users can generate a new Sale or Authorization transaction for a customer from a specified original reference transaction. The user can modify any aspect of the transaction, including the amount, before submitting the new transaction. Reference transactions are described in more detail in Performing Reference Transactions on page 32 of VeriSign Manager User s Guide. Select No to disallow the use of reference transactions. Configuring Security Features: Part 2: Run the Transaction Wizard VeriSign designed the Transaction tools to enable you to implement transaction security in phases. You first make and fine-tune fraud filter settings in a Test environment, then move to the live transaction environment to fine-tune operation in an Observe-only mode, and finally, when you are fully satisfied with your settings, you move to the Active mode to begin filtering all of your live transactions for fraud. Filters are fully described in Appendix B, Fraud Filter Reference. IMPORTANT! At the end of the configuration steps in each of these phases, you must deploy the filters. Filter settings take effect only after you click a button to DEPlOY the settings. Phase 1: Run test transactions using test Transaction servers In this phase of implementation, you configure filter settings for Transaction Security test servers that do not affect the normal flow of transactions. You then 16 VeriSign, Inc /Rev. 2

25 Chapter 3 Configuring the Fraud Protection Services run test transactions against the filters and review the results offline to determine whether the integration was successful. Phase 2: Run live transactions on live Transaction Security servers using the Observe mode In this phase of the implementation, you configure filters on live servers to the settings that you had fine-tuned on the test servers. In Observe mode, the filters examine each live transaction and mark the transaction with each triggered filter s action. You can then view the actions that would have been taken on the live transactions had the filters been active. Regardless of the filter results, all transactions are submitted for processing in the normal fashion. Phase 3: Run live transactions on live Transaction Security servers using the Active mode Once you have set all filters to the optimum settings, you convert to Active mode. Filters on the live servers examine each live transaction and take the specified action. Tip Remember that you can test a new filter setting using the test servers at any time (even if your account is in Active mode), and then, if desired, make an adjustment to the live filter settings. Payflow Link Merchants Once you switch to Active mode, the AVS and CSC checks that you may have previously set on the Payflow Link Configuration page are replaced by the AVS and CSC filter settings. Phase 1 Run test transactions against filter settings on test Transaction Security servers Payflow Link Merchants If you currently use Payflow Link in Live mode and you wish to return your Payflow Link account to Test mode because you added a Fraud Protection Services package, then you should know that in Test mode: All test transactions go to VeriSign s simulator servers. No transactions are submitted to the Processor network, therefore no funds are transferred. This means that all transactions on your account will be lost until you return your Payflow Link account to Live mode. Instead, you can skip this Phase and follow the steps in Phase 2 on page 20 to set up the Live servers. VeriSign, Inc /Rev. 2 17

26 VeriSign Payment Services Fraud Protection Services Guide In this phase of implementation, you configure filter settings for Transaction Security test servers that do not affect the normal flow of transactions. You then run test transactions against the filters and review the results offline to determine whether the integration was successful. Continue modifying and testing filters as required. Tip There is no per-transaction fee associated with operation on the test servers. 1 Click Security Test Setup Transaction Wizard. (Payflow Link merchants, use: Security Live Setup Transaction Wizard instead of Security Test Setup Transaction Wizard.) The Transaction Wizard Welcome page opens. 2 Move through each wizard page, following the on-screen instructions. At any time, click the What Do I Do button for instructions, or click a filter name to read a full description of the filter. Each filter is fully described in Appendix B, Fraud Filter Reference. For each filter, you: Turn the filter on (enable it) or off (disable it). 18 VeriSign, Inc /Rev. 2

27 Chapter 3 Configuring the Fraud Protection Services Specify the action that the filter should take when it is triggered. For some filters, you set the trigger value (for example, for the Price Ceiling filter, the trigger value is the transaction amount that causes the filter to set a transaction aside). Note If you have not enrolled for the Buyer Authentication Service, then the settings for the Buyer Authentication Failure filter are grayed-out and you cannot configure them. Items that you enter in the Test Good or Bad lists are not carried over to your configuration for the Live servers, so do not spend time entering a complete list for the Test configuration. 3 Once you complete the wizard pages, click Test on the Filter Deployment Test/Live page. If you do not deploy the filters by clicking Test, then your Test settings are not saved. All filters are configured, and you can begin testing the settings by running test transactions. Follow the procedures outlined in Appendix C, Testing the Transaction Security Filters. 4 Review the filter results by following the instructions in Reviewing Possibly Fraudulent Transactions on page Based on your results, you may want to make changes to the filter settings. Click Security Test Setup Edit Filters to open the Edit Test Filters page. You can change any filter setting on this page. VeriSign, Inc /Rev. 2 19

28 VeriSign Payment Services Fraud Protection Services Guide 6 Once you are happy with your filter settings, you can move to Phase 2. Phase 2 Run live transactions on live Transaction Security servers using the Observe mode Payflow Link Merchants: Once you switch to Live mode, the AVS and CSC checks that you may have previously set on the Payflow Link Configuration page are replaced by the AVS and CSC filter settings. In Observe mode, no action is taken on AVS and CSC. To take action if you are confident of your filter settings, deploy to Active mode. In this phase of the implementation, you configure filters on live servers to the settings that you had fine-tuned on the test servers. In Observe mode, filters examine each live transaction and mark the transaction with the filter results. The important difference from Active mode is that, regardless of the filter actions, all transactions are submitted for processing in the normal fashion. Observe mode enables you to view filter actions offline to assess their impact (given current settings) on your actual transaction stream. Note You are charged the per-transaction fee to use the live servers in Live mode (either Observe or Active). 1 Click Security Live Setup Edit Filters. The the Edit Filters page opens. Remember that in this phase, you are configuring the live Transaction Security servers. 2 Make any needed changes from the Phase 1 settings. 3 Click Continue on the Edit Live Filters page and on the Required Filter Data page. 20 VeriSign, Inc /Rev. 2

29 Chapter 3 Configuring the Fraud Protection Services 4 The Filter Deployment page prompts whether to deploy the filters in Observe mode or in Active mode. Specify Observe Mode. Once you deploy the filters, all transactions are sent to the live Transaction Security servers for screening by the live filters. In Observe mode, each transaction is marked with the filter result that would have occurred had you set the filters to Active mode. This enables you to monitor (without disturbing the flow of transactions) how actual customer transactions would have been affected by active filters. View the Review Transactions page to review filter performance. CAUTION VeriSign updates filter profiles hourly (roughly on the hour) to capture any changes that you make to settings. This means that you might have to wait up to an hour for your changes to take effect. VeriSign, Inc /Rev. 2 21

30 VeriSign Payment Services Fraud Protection Services Guide 5 The Required Data Fields page displays the list of transaction data elements that you must submit with each transaction. You may want to print this page. If a particular transaction data value is not submitted, then each filter that could not screen the transaction appears in the Unprocessed Filters section of Transaction Details page (described in Acting on Transactions that Triggered Filters on page 27). 6 Perform testing as in Phase 1 ( Reviewing Possibly Fraudulent Transactions on page 24). The Filter Scorecard (described on page 29) will be particularly helpful in isolating filter performance that you should monitor closely and in ensuring that a filter setting is not set so strictly so as to disrupt normal business. 7 Once you are happy with your filter settings, you can move to Phase 3. Phase 3 Run live transactions on live Transaction Security servers using the Active mode Once you have set all filters to the optimum settings, you convert to Active mode. Filters on the live servers examine each live transaction and take the specified action. 1 Click Security Live Setup Edit Filters. The Edit Live Filters page opens. 2 Click Continue on the Edit Live Filters page and on the Required Filter Data page. 3 On the Filter Deployment page, click Deploy Active Mode. At the top of the next hour, your live transactions will be inspected by the Transaction Security filters. 4 Use the instructions in Chapter 4, Using the Transaction Security Filters in Your Everyday Business Activities, to detect and fight fraud. IMPORTANT! Remember that you can make changes to fine-tune filter settings at any time. After changing a setting, you must re-deploy the filters so that the changes take effect. 22 VeriSign, Inc /Rev. 2

31 re t pahc CHAPTER 4 4Using the Transaction Security Filters in Your Everyday Business Activities As part of the task of minimizing the risk of fraud, you review each transaction that triggered a filter. You decide, based on the transaction risk profile whether to accept or reject the transaction. This chapter describes how to review transactions that triggered filters, and provides guidance on deciding on risk. Click the What Do I Do button on any Transaction Detail page to view VeriSign s recommendations for reviewing and acting on filtered transactions. Note The Fraud Protection Services package (Basic or Advanced) to which you subscribe determines the number of filters that screen your transactions. Basic subscribers have access to a subset of the filters discussed in this chapter. Advanced subscribers have full access. In This Chapter Reviewing Possibly Fraudulent Transactions on page 24 Fine-tuning Filter Settings Using the Filter Scorecard on page 29 Re-running Transactions if the Transaction Security Service is Unavailable on page 31 VeriSign, Inc /Rev. 2 23

32 VeriSign Payment Services Fraud Protection Services Guide Reviewing Possibly Fraudulent Transactions Transactions that triggered filters might or might not represent attempted fraud. It is your responsibility to analyze the transaction data and then decide whether to accept or reject the transaction. The first step in reviewing filtered transactions is to list the transactions: 1 Click Security Transaction Review Review Transactions. 24 VeriSign, Inc /Rev. 2

33 Chapter 4 Using the Transaction Security Filters in Your Everyday Business Activities 2 The Review Transactions page opens. 3 Specify the date range of the transactions to review. 4 Specify a Transaction Type: Transaction Type Reject Review Accept Unprocessed All Processed Description Transactions that the filters rejected. These transactions cannot be settled. The type of filter that took this action is called a Reject filter. Transactions that the filters set aside for your review. The type of filter that took this action is called a Review filter. Transactions that the filters allowed through the normal transaction submission process. The type of filter that took this action is called an Accept filter. Transactions that were not screened by any filter. This condition (Result Code 127) indicates that an internal server error prevented the filters from examining transactions. You can re-screen any of these transactions through the filters. All transactions that were screened by filters, regardless of filter action or whether any filter was triggered. 5 Specify transactions screened by the Live Transaction Security servers or by the Test servers, and click Submit. VeriSign, Inc /Rev. 2 25

34 VeriSign Payment Services Fraud Protection Services Guide 6 The Transaction Review page displays all transactions that meet your search criteria (in this example, transactions that filters set aside for review). Note If filters are deployed in Observe mode, then all transactions have been submitted for processing and are ready to settle. Transactions are marked with the action that the filter would have taken had the filters been deployed in Active mode. The following information appears in the report: Heading FPS ID Time Type Tender Type Amount Deployment Mode Description Unique transaction identifier. Click this value to view the Transaction Detail page. Time and date that the transaction occurred. The transaction status type, as described in the next table. MasterCard or Visa Amount of the transaction Test, Observe, or Active 26 VeriSign, Inc /Rev. 2

35 Chapter 4 Using the Transaction Security Filters in Your Everyday Business Activities The following transaction status types can appear in the report: Stage Status Result Code Report in which the transaction appears Message Screened by filters Pass 0 Approved report Approved Review 126 Approved report Under Review by Fraud Service Reject 125 Declined report Declined by Fraud Service Accept 0 Approved report Approved Service Outage 127 Approved report Unprocessed by Fraud Service After review by merchant Accepted 0 Approved report Approved Rejected 128 Declined report Declined by Merchant 7 Click the Transaction ID of the transaction of interest. The Transaction Details page opens, as discussed in the next section. Acting on Transactions that Triggered Filters The Transaction Details page displays the data submitted for a single screened transaction. The data is organized to help you to assess the risk types and to take action (accept, reject, or continue in the review state). As shown in the example, data that triggers a filter is marked by a link that displays the filter description. Note The Transaction Details page associated with filters differs from the Transaction Details page associated with standard VeriSign Manager reports. The standard page shows the status of a transaction that has been submitted for processing. The Transaction Details page associated with filters shows the status of a transaction that triggered a filter. VeriSign, Inc /Rev. 2 27

36 VeriSign Payment Services Fraud Protection Services Guide Click the What Do I Do button to read VeriSign s recommendations for reviewing and acting on filtered transactions. You may wish to print these recommendations. This transaction was set aside because it triggered the Price Ceiling filter ($9, exceeds the ceiling that you configured for the filter). Other filters were also triggered. Click a link to view the filter description. The transaction was not screened by any of the filters listed in the Unprocessed FIlters section because data required by the filter did not appear in the transaction data or was badly formatted. In special cases, all filters appear here. See Re-running Transactions if the Transaction Security Service is Unavailable on page 31 Specify the action to take on the transaction: Review: Take no action. You can return to this page at any time to reject or accept the transaction. The transaction remains unsettleable Reject: The transaction is not submitted for processing. See Rejecting Transactions on page 29. Accept: Submit the transaction for normal processing. See Rejecting Transactions on page 29. You can enter notes here regarding the disposition of the transaction or the reasons for taking a particular action. Click Save Changes to save the notes, apply the action, and move to the next transaction. Note You can also view transaction details for transactions that were rejected or accepted. While you cannot change the status of the transactions, the page provides insight into filter performance. 28 VeriSign, Inc /Rev. 2

37 Chapter 4 Using the Transaction Security Filters in Your Everyday Business Activities Rejecting Transactions If you decide to reject a transaction, you should notify the customer that you could not fulfill the order. Do not be explicit in describing the difficulty with the transaction because this provides clues for performing successful fraudulent transactions in the future. Rejected transactions are never settled. Fine-tuning Filter Settings Using the Filter Scorecard The Filter Scorecard displays the number of times that each filter was triggered and the percentage of all transactions that triggered each filter during a specified time period. This is especially helpful in fine tuning your Risk Management workflow. For example, if you find that you are reviewing too many transactions, then use the Filter Scorecard to determine which filters are most active. You can reduce your review burden by relaxing the settings on these filters (for example, by setting a higher amount for the Purchase Price Ceiling filter). VeriSign, Inc /Rev. 2 29

38 VeriSign Payment Services Fraud Protection Services Guide In this example, the Price Ceiling filter is triggered for 17% of all transactions possibly indicating that you might consider whether the ceiling is set properly. Ensuring Meaningful Data on the Scorecard The Scorecard shows the total number of triggered transactions for the time period that you specify, so if you had changed a filter setting during that period, the Scorecard result for the filter might reflect transactions that triggered the filter at several different settings. For example, you changed the Total Purchase Price Ceiling on August 1 and again on August 7. You then run a Filter Scorecard for July 1 to August 31. Between July 1 to August 31, three different price ceiling settings caused the filter to trigger, yet the Scorecard would not indicate this fact. To ensure meaningful results in the Filter Scorecard, specify a time period during which the filter settings did not change. 30 VeriSign, Inc /Rev. 2

39 Chapter 4 Using the Transaction Security Filters in Your Everyday Business Activities Re-running Transactions if the Transaction Security Service is Unavailable If the Transaction Security service is unavailable, then the transaction returns Result Code 127. The transaction is not screened by any filters and are held for resubmission. Follow these steps to resubmit the transactions: 1 Request all unprocessed transactions using the Review Transactions page as described in Reviewing Possibly Fraudulent Transactions on page 24. The summary page lists all unprocessed transactions 2 For each transaction that you wish to resubmit: Click the Transaction ID link to open the Transaction Detail page. 3 Click the Rerun Transaction button If successful, a message notifies you Transaction Successfully Processed by Filters. Click Done to return to the unfiltered transaction list (notice that the transaction that you just resubmitted is no longer in the list). All transactions are ultimately recategorized to Status Code Accept, Reject or Review. If unsuccessful, a message notifies you Reprocessing by Filters Failed Please Try Again. Click Rerun Transaction to retry. Tip If multiple attempts at screening fail, then the transaction may have data formatting problems. Contact Customer Service. If you encounter 50 or more transactions with Result Code 127, then contact Customer Service to resubmit them. VeriSign, Inc /Rev. 2 31